CVE-2025-59854 HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability

HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a...

CVE-2025-35060

Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...

EUVD-2025-24030

Malicious code in bioql PyPI...

CVE-2025-55009

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

CVE-2025-55009

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

CVE-2025-55008 AuthKit React Router: Sensitive auth data rendered in HTML

The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...

CVE-2025-55009 AuthKit: Sensitive auth data rendered in HTML

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

CVE-2025-55009

CVE-2025-55009 affects the AuthKit Remix package @workos-inc/authkit-remix. Versions ≤ 0.14.1 expose sensitive artifacts (sealedSession and accessToken) via the authkitLoader, causing them to be rendered into browser HTML. This creates information exposure and potential session/API access risk, a...

CVE-2024-35225 Jupyter Server Proxy has a reflected XSS issue in host parameter

Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting XSS issue. The /proxy endpoint accepts a host path segmen...

GHSA-8PHR-637G-PXRG LibreNMS Cross-site Scripting at Device groups Deletion feature

Summary XSS attacks occurs when application is not sanitising inputs properly and rendering the code from user input to browser which could allow an attacker to execute malicious javascript code. PoC 1. Login 2. Create a device group in /device-groups 3. Name it as " 4. save it 5. Go to services...

LibreNMS Cross-site Scripting at Device groups Deletion feature

Summary XSS attacks occurs when application is not sanitising inputs properly and rendering the code from user input to browser which could allow an attacker to execute malicious javascript code. PoC 1. Login 2. Create a device group in /device-groups 3. Name it as " 4. save it 5. Go to services...

GHSA-9PHH-R37V-34WH lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Impact The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in. An attacker can inject a malicious script inline, download resources from another domain, or make...

Cross-site Scripting (XSS)

pimcore/pimcore is vulnerable to Cross-site Scripting XSS. The vulnerability is due to not sanitizing/escaping the values present in the attributes field of Link.php component . The attacker can inject the malicious payload javascript inside attributes field leading to XSS when same page is...

GHSA-6HJC-M38H-7JHH Cross-site Scripting in SEOmatic plugin

A cross-site scripting XSS vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName...

Cross-site Scripting (XSS) - Stored in convos-chat/convos

Description Stored XSS via upload File with format .svg when chatting in private conversation. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of...

Firely/Incendi Spark 安全漏洞

Spark is a public domain FHIR server developed using C. A security vulnerability exists in versions prior to Firely/Incendi Spark 1.5.5-r4, which stems from the lack of a Content-Disposition header in some cases, which could result in carefully crafted files being delivered to the client to be...

UBUNTU-CVE-2020-13239

The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS...

Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploit...

Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploit...

Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploit...